> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Changelog

> Updates and improvements to the Tesouro Underwriting API.

<Update label="July 13, 2026" tags={["Breaking change", "Added"]}>
  ### Breaking: `SELECT_MULTIPLE` removed from `UnderwritingDynamicFieldType`

  `SELECT_MULTIPLE` is removed from the `UnderwritingDynamicFieldType` enum.

  ### `agentReview` query on underwriting applications

  `agentReview` returns the latest AI agent review for an underwriting application. New types: `UnderwritingApplicationAgentReview` and `UnderwritingApplicationAgentReviewComponent`. New enums: `UnderwritingApplicationAgentReviewDisposition` (`LIKELY_PROBLEM`, `LOOKS_ACCEPTABLE`, `NEEDS_A_CLOSER_LOOK`, `NOT_YET_ASSESSABLE`) and `UnderwritingApplicationAgentReviewStatus` (`COMPLETED`, `FAILED`, `IN_PROGRESS`, `NOT_STARTED`).
</Update>

<Update label="July 9, 2026" tags={["Changed"]}>
  ### `displayInformation` masks sensitive PII on application events

  `displayInformation` on `ApplicationEvent` masks sensitive PII field values such as names and addresses instead of showing plaintext. Original values remain accessible via the `revealChange` resolver.
</Update>

<Update label="July 3, 2026" tags={["Added"]}>
  ### `dynamicFields` on applications and decision components

  `UnderwritingApplication` exposes `dynamicFields` and `dynamicField` resolvers for retrieving dynamic field values from the org-applicable catalog, optionally scoped to a decision-component item. `DecisionComponentItem` also carries a `dynamicFields` resolver.

  ### `dynamicFields` input on `updateDecisionComponent`

  `updateDecisionComponent` accepts a `dynamicFields` input for adding, removing, or updating dynamic field values via the `@oneOf` `UnderwritingDynamicFieldInput`.

  ### Dynamic field types

  New types: `UnderwritingDynamicField`, `UnderwritingDynamicFieldSchema`, and `UnderwritingDynamicFieldSensitiveFields`. New enums: `UnderwritingDynamicFieldKind` (`CHOICE`, `GROUP`, `SCALAR`) and `UnderwritingDynamicFieldType` (`CHECKBOX`, `CURRENCY`, `DATE_PICKER`, `SELECT`, `SELECT_MULTIPLE`, `TEXTAREA`, `TEXT_FIELD`, `TEXT_FIELD_MASKED`).
</Update>

<Update label="June 30, 2026" tags={["Fixed"]}>
  ### PCI Certification Check items for multi-provider applications

  The PCI Certification Check decision component correctly creates and labels distinct items per software provider when an application has multiple providers.
</Update>

<Update label="June 26, 2026" tags={["Changed"]}>
  ### PCI Certification Check evaluates software providers

  The PCI Certification Check decision component evaluates application software provider names against the Visa PCI listing registry, returning `ACCEPTED` or `ACTION_REQUIRED` status with detailed review data per provider.

  ### Software provider removal updates PCI Certification Check

  Removing a software provider name from an application automatically excludes its PCI Certification Check items. Re-adding the provider re-includes them.
</Update>

<Update label="June 24, 2026" tags={["Fixed"]}>
  ### `revealChange` and `sensitiveChanges` fix for one-sided PII changes

  `revealChange` and `sensitiveChanges` on `ApplicationEvent` no longer fail on one-sided PII changes — such as a field first populated or cleared — where the serializer omits the absent value. Change history for those events is now viewable.
</Update>

<Update label="June 19, 2026" tags={["Changed"]}>
  ### `legalEntityName` validation relaxed on sole proprietors

  `legalEntityName` no longer needs to match the owner's name on sole proprietor applications. The value is accepted as-is.

  ### `birthDate` requirement narrowed on person stakeholders

  `birthDate` is only required for owner, guarantor, primary contact, and control person roles. Authorized persons can omit it, but any provided value must still be a date in the past.

  ### Stakeholder requirement on application submission

  Application submission requires at least one person stakeholder with a role. Submissions without a qualifying stakeholder return a `MISSING_STAKEHOLDER` validation error.
</Update>

<Update label="June 18, 2026" tags={["Added", "Fixed"]}>
  ### `revealChange` covers `updateDecisionComponent` edits

  `revealChange` on `ApplicationEvent` returns decrypted before/after values for encrypted PII fields edited via `updateDecisionComponent`, not just direct application input edits.

  ### `sensitiveChanges` null value fix

  `sensitiveChanges` no longer throws a deserialization error when `previousValue` or `updatedValue` is null, which could prevent viewing application change history.
</Update>

<Update label="June 17, 2026" tags={["Added"]}>
  ### `sensitiveChanges` on application events

  `ApplicationEvent` carries a `sensitiveChanges` field with masked before/after values for encrypted PII changes in the audit change log.

  ### `revealChange` resolver on application events

  `revealChange` on `ApplicationEvent` provides audited, per-entry decryption of sensitive change-log values.
</Update>

<Update label="June 16, 2026" tags={["Added"]}>
  ### `softwareProviderNames` on application identity

  `softwareProviderNames` is available on application identity input and output types.

  ### Expanded `revealSensitiveFields` mutation

  `revealSensitiveFields` supports additional PII fields across application identity, bank account, and stakeholder data.
</Update>

<Update label="June 8, 2026" tags={["Fixed"]}>
  ### Underwriting data export columns

  The underwriting data export correctly populates status, decision timestamp, and decline reason columns.
</Update>

<Update label="June 5, 2026" tags={["Breaking change"]}>
  ### Breaking: `declineCodes` input restructured on `updateUnderwritingApplication`

  `declineCodes` changed from `[DeclineCode!]` to `[DeclineCodeInput!]`, a `@oneOf` input. Use `{ addDeclineCodeInput: CODE }` to add or `{ removeDeclineCodeInput: CODE }` to remove individual codes instead of replacing the full set.
</Update>

<Update label="June 4, 2026" tags={["Changed"]}>
  ### Unrestricted `declineCodes` on `updateUnderwritingApplication`

  `updateUnderwritingApplication` accepts any number of decline codes. The previous limit is removed.
</Update>

<Update label="June 2, 2026" tags={["Added"]}>
  ### Decline reasons on underwriting applications

  `UnderwritingApplication` carries a `declineReasons` field, and `updateUnderwritingApplication` accepts `declineCodes`. A `DeclineCode` enum and `DeclineReason` type capture adverse action reasons on declined applications.
</Update>

<Update label="May 29, 2026" tags={["Changed", "Fixed"]}>
  ### Potential exposure rounding and threshold enforcement

  Potential exposure values round to 2 decimal places. Decision components reset to `ACTION_REQUIRED` when recalculated exposure exceeds the threshold.

  ### Owner Sanctions Watchlist Check potential match results

  Owner Sanctions Watchlist Check potential match results now appear correctly in decision component responses.
</Update>

<Update label="May 27, 2026" tags={["Added", "Changed", "Fixed"]}>
  ### `CURRENCY` field type on decision components

  `CURRENCY` is a value on the `DecisionComponentFieldType` enum.

  ### Expanded sanctions decision component results

  Sanctions decision component results include per-source detail and source identification.

  ### `stateOfIncorporation` validation

  `stateOfIncorporation` is validated as a 2-character US state or territory code on underwriting applications and normalized to uppercase on all applications.

  ### Auto-accept on potential exposure threshold drop

  Decision components with potential exposure thresholds are automatically accepted when recalculated exposure drops below the action-required threshold.

  ### Processing activity fields on decision components

  Processing activity field values now appear correctly in decision component fields for underwriting applications.
</Update>

<Update label="May 19, 2026" tags={["Added", "Changed"]}>
  ### State of Incorporation on Business Identity Verification

  The Business Identity Verification decision component includes a state of incorporation verification result and an editable field, auto-populated from upstream evaluation data.

  ### Approval validation on `updateDecisionComponent`

  `updateDecisionComponent` validates required application data when approving a decision component. The mutation returns validation errors (`UnderwritingApplicationFieldValidationError`, `UnderwritingApplicationValidationError`, etc.) if required fields are incomplete.

  ### Real-time potential exposure on approval components

  Potential exposure on approval decision components reflects recalculated values in real time instead of a static result.
</Update>

<Update label="May 13, 2026" tags={["Breaking change", "Added", "Changed"]}>
  ### Breaking: `nameOnAccount` removed from bank account types

  `nameOnAccount` is removed from `UnderwritingBankAccount`, `UnderwritingApplicationAddBankAccountInput`, and `UnderwritingApplicationUpdateBankAccountInput`. Use `underwritingIdentity.legalEntityName` instead.

  ### `stateOfIncorporation` on application identity

  `stateOfIncorporation` is available on application identity input and output types.

  ### Automatic potential exposure recalculation

  Updating application fields that affect potential exposure triggers an automatic recalculation. Affected decision components may reset to `ACTION_REQUIRED`.
</Update>

<Update label="May 6, 2026" tags={["Added"]}>
  ### `type` field and `DecisionComponentReviewType` on `DecisionComponentReview`

  `DecisionComponentReview` carries a `type` field with a `DecisionComponentReviewType` enum (`INQUIRY_DATA`, `REVIEW`), distinguishing supplied inquiry data from match results. Sanctions components include an inquiry data review alongside matches.
</Update>

<Update label="April 27, 2026" tags={["Fixed"]}>
  ### Application submission stall in `CREATED` status

  Applications no longer stall in `CREATED` status when transient upstream communication errors occur during submission.
</Update>

<Update label="April 20, 2026" tags={["Fixed"]}>
  ### `SUBMISSION_FAILED` status on decision components

  Decision components correctly reflect `SUBMISSION_FAILED` status when the upstream evaluation returns no items.
</Update>

<Update label="April 17, 2026" tags={["Changed"]}>
  ### Auto-accept on decision component acceptance

  Accepting a decision component automatically sets all non-`INFORMATIONAL` item statuses to `ACCEPTED`.
</Update>

<Update label="April 16, 2026" tags={["Added", "Changed"]}>
  ### `STATUS_CHANGED` webhook for `SUBMISSION_FAILED`

  The `UNDERWRITING_APPLICATION_UPDATED` webhook fires with a `STATUS_CHANGED` change type when an application reaches `SUBMISSION_FAILED` status.

  ### `averageAnnualSalesAmount` on acceptor processing activity

  `averageAnnualSalesAmount` is available on `AcceptorApplicationProcessingActivityInput` and `AcceptorApplicationProcessingActivityOutput`, previously limited to underwriting-specific processing activity types.

  ### Guidance text replaces status messages for missing website URL

  Decision component results no longer include status messages when a business website URL is missing. Guidance text is the sole indicator.

  ### Annual sales in Alloy journey payloads

  Alloy journey application request payloads include `annual_sales` alongside `monthly_sales`, supporting potential exposure calculations based on annual volume.
</Update>

<Update label="April 14, 2026" tags={["Added", "Changed"]}>
  ### GraphQL schema descriptions

  Enums, types, and error types carry GraphQL descriptions. Schema introspection doubles as documentation.

  ### `guidance` field on decision component items

  `DecisionComponentItem` carries a `guidance` field with actionable text for items in `ACTION_REQUIRED` status.

  ### Attach uploads to multiple decision components

  The attachment upload endpoint accepts an optional `decisionComponentIds` array. Link one upload to multiple decision components in a single request.

  ### Expanded Guarantor Credit Check and Mastercard MATCH results

  Both decision components return expanded result data.

  ### Unrestricted `businessName` length

  The 22-character cap on `businessName` is removed. Business names of any length are accepted.

  ### Website URL optional on MCC Confirmation and Site Inspection

  The website URL field on both decision components is no longer required.
</Update>

<Update label="April 7, 2026" tags={["Added"]}>
  ### `TRUST` business entity type

  `TRUST` is a value on the `BusinessEntityType` enum.

  ### `underwritingReference` and `acceptorReference` on boarding webhooks

  Both fields are included in boarding webhook payloads.
</Update>

<Update label="March 31, 2026" tags={["Added", "Changed", "Deprecated", "Fixed"]}>
  ### `averageAnnualSalesAmount` on processing activity

  `averageAnnualSalesAmount` is available on underwriting processing activity input and output, giving integrators a direct field for annual volume.

  ### `QUESTION` info request type reactivated

  `QUESTION` is back as an active option on `UnderwritingInformationRequestType`.

  ### `UNDERWRITING_APPLICATION_UPDATED` webhook expanded

  This webhook fires for attachment changes, decision component updates, and terminal status transitions. New change types: `DECISION_COMPONENT_UPDATED` and `FILE_DELETED`.

  ### Org-level `DefaultDaysInCycle` config

  When set, `daysInCycle` auto-populates on new underwriting applications if the input omits it.

  ### Relaxed `chargebackRate` and `refundRate` validation

  Both fields are truly optional on `submitUnderwritingApplication`.

  ### Deprecated: `nameOnAccount`

  `nameOnAccount` on `UnderwritingBankAccount` and related input types is deprecated. Use `underwritingIdentity.legalEntityName` instead.

  ### Minor bug fixes and improvements
</Update>

<Update label="March 20, 2026" tags={["Breaking change", "Added", "Changed", "Deprecated", "Fixed"]}>
  ### Breaking: info request input restructured

  `CreateUnderwritingInformationRequestInput` uses a flat `type`-based input instead of the `OneOf` pattern with `customInput`/`fromOptionInput`. Specify a `type` enum value directly — `CreateUnderwritingInformationRequestCustomInput` and `CreateUnderwritingInformationRequestFromOptionInput` are removed.

  ### Breaking: info request option fields removed

  `id`, `isActive`, `createdDateTime`, and `updatedDateTime` are removed from `UnderwritingInformationRequestOptionOutput`.

  ### New info request document types

  Eight new values on `UnderwritingInformationRequestType`: `ARTICLES_OF_INCORPORATION`, `BANK_LETTER_VOIDED_CHECK`, `BANK_STATEMENTS`, `BUSINESS_LICENSE`, `CERTIFICATE_OF_GOOD_STANDING`, `FINANCIAL_STATEMENTS`, `PASSPORT`, and `PROOF_OF_ADDRESS`.

  ### `defaultMerchantCategoryCode` replaces `merchantCategories`

  `merchantCategories` on `UnderwritingApplicationIdentityInput` is deprecated — only a single MCC is supported. Use `defaultMerchantCategoryCode` instead.

  ### Deprecated: `BANK_LETTER`, `VOIDED_CHECK`, and `QUESTION` request types

  Use `BANK_LETTER_VOIDED_CHECK` instead of the first two. `QUESTION` is no longer available as a request option.

  ### Info request output enriched

  `type` and `fulfillmentTypes` are available on underwriting info request output and option output types.

  ### Decision component schema authorization

  `requiredScopes` and `requiredRoles` on `UnderwritingDecisionComponentSchema` expose per-component authorization requirements.

  ### `RISK` decision component result status

  A new `RISK` value on `DecisionComponentResultStatus` supports fraud risk scoring.

  ### Org-scoped info request options

  `underwritingInformationRequestOptions` returns options scoped to the requesting organization, with platform defaults as fallback.

  ### Webhook payload expanded for info requests

  `description` and `fulfillmentTypes` are included in the `UNDERWRITING_APPLICATION_UPDATED` webhook payload for information request events.

  ### Expanded decision component result data

  New result fields across Business Sanctions, MATCH, MCC Confirmation, Owner Identity, Owner ID Fraud, Owner Sanctions, and Site Inspection decision components.

  ### Website Review MCC field

  MCC field status on the Website Review decision component always shows `NOT_VERIFIED`.

  ### Business Sanctions display fix

  Watchlist match results display correctly; "workflow not run" results are hidden.

  ### Partial errors on decision component resolver

  Decision component resolver errors no longer nullify the entire response. Failures surface in the `errors` array with safe defaults for affected fields.

  ### Minor bug fixes and improvements
</Update>
